Solved

Account Lockout

Posted on 2011-03-08
Last Modified: 2012-05-11
I have a few user accounts, mine being one of them, that keep getting locked out.  I checked the security logs on the system and it is constantly coming from a single machine on the network.  This just started today.  If I turn the machine off then all is well.  If I turn it back on...  well, I'm guessing one of the services is using credentials.  The other is a user that is no longer with the company, and whose account has been disabled for quite some time.  Is there a way I can find out what services are using these credentials on the server?  Any guidance would be greatly appreciated.
Question by:Infamous_Q
7 Comments
 
LVL 70

Accepted Solution

by:
KCTS earned 500 total points
ID: 35075064
0
 
LVL 3

Expert Comment

by:Rhyseh
ID: 35075145
We had a similar issue some years ago where one of our servers missed an update and got a malware infection. It then proceeded to attempt to brute force its way into our network by repeatedly sending validation requests with random user account names. This caused the accounts to become locked.

We fixed this by patching the server and manually stamping out the infection, however if this is a client machine I would just give it a reimage and get rid of this headache.
0
 
LVL 8

Expert Comment

by:Nivlesh
ID: 35077481
Since you traced it to one computer, you are already halfway there. Next you have to check all services.

BTW, what OS is the offending machine running? If Windows 2000 +, then go to start\run\ and then type services.msc and press OK. This will start the services applet. In here, check the Log On As column to see if the account that is being locked out is there.

Also, Internet Explorer might be trying to access a server with the username that is locked out. Check all passwords that are stored on the machine. In XP you can type control userpasswords2 and see all the usernames/passwords stored. In Win7, open Control Panel, go to User Accounts, then click on Manage your credentials. Also, you can use Internet Explorer to delete all history, stored forms, passwords, etc.

The last thing to check is if there is any program running that might be trying to log in to your servers. Open up the Task Manager and see if there is any "dodgy" process. Kill it and try to stop it from starting again, restart the computer and monitor.

It is a slow process to get this sorted but if you follow the correct path, you will get there.

Regards
0
 
LVL 3

Expert Comment

by:sam0x01
ID: 35079267
Any authentication request from that computer could be causing it.

This may come from a service, scheduled task, or program that runs in the background.

Running schtasks /v on the computer or schtasks /S [computername] /v remotely while the computer is powered on will show the scheduled tasks and the credentials they run under.

Running wmic service get displayname,state,startname will show the services, state and username.

Running wmic /node:[computername] service get displayname,state,startname remotely will do the same.

If this is a program not running as a scheduled task or a service, if it is a desktop, rebuilding it would be the easiest thing to do.

Otherwise opening each installed program and script on the server will eventually find the one that is causing it.
0
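
The service and scheduled-task checks from the comment above, combined into one PowerShell script that filters on a single account (an added example, not part of the original thread). The computer name `SERVER01` and account name `jdoe` are placeholders, and the script assumes it is run from an admin workstation with WMI and schtasks access to the target.

```powershell
# Added example: list services and scheduled tasks on one computer that are
# configured to run under a given account.
param(
    [string]$Computer = 'SERVER01',   # placeholder: machine the lockouts come from
    [string]$Account  = 'jdoe'        # placeholder: locked-out account, without domain
)

# Match "jdoe", "DOMAIN\jdoe" and "jdoe@domain.local", but not "jdoe2".
$pattern = '(^|\\)' + [regex]::Escape($Account) + '(@|$)'

# Services: same data as "wmic service get displayname,state,startname".
$services = Get-WmiObject -Class Win32_Service -ComputerName $Computer |
    Where-Object { $_.StartName -match $pattern } |
    Select-Object @{n='Kind';  e={'Service'}},
                  @{n='Name';  e={$_.DisplayName}},
                  @{n='RunAs'; e={$_.StartName}},
                  @{n='State'; e={$_.State}}

# Scheduled tasks: verbose schtasks output as CSV, so that the
# "Run As User" column can be filtered instead of read by eye.
$tasks = schtasks /query /s $Computer /v /fo csv | ConvertFrom-Csv |
    Where-Object { $_.'Run As User' -match $pattern } |
    Select-Object @{n='Kind';  e={'Task'}},
                  @{n='Name';  e={$_.TaskName}},
                  @{n='RunAs'; e={$_.'Run As User'}},
                  @{n='State'; e={$_.Status}}

$hits = @($services) + @($tasks)
if ($hits.Count -eq 0) {
    # Nothing is configured with this account; the requests come from
    # somewhere else (stored credentials, a running program, malware).
    Write-Output "No service or scheduled task on $Computer runs as $Account."
} else {
    $hits | Format-Table -AutoSize
}
```

An empty result only rules out configured service and task logons; stored credentials and running processes on the machine still need to be checked separately.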
 
LVL 2

Author Comment

by:Infamous_Q
ID: 35083955
Thanks for all of the advice.  I will be working on this issue today to see where the problem is.  I'll post an update as soon as I have something.
0
 
LVL 2

Author Comment

by:Infamous_Q
ID: 35096137
So the services on the system are all running as local or network services, and I just finished running a full scan for virus/spyware.  Nothing so far.  There are also no scheduled tasks on the machine.  To answer an above question, this is a Server 2003 machine.  However, it's not running all of the latest updates.  I will update the machine and install the lockout tools and post results.
0
 
LVL 2

Author Comment

by:Infamous_Q
ID: 35117149
I updated the system to the most recent and used the tools.  After finding the reason using the tools, I was able to kill the rogue service and fix things.  Thanks very much for all of your help.
0


Question has a verified solution.
